Solved: Re: Route single IP to a different default gateway; different firewall

pformanko · ‎10-27-2022

I am configuring a test firewall, and I need to route traffic from single PC, via this firewall, to the Internet.

The firewall is configured with routing, inside and outside interfaces, access policy, and

- able to access both Internet and LAN

- reachable from the LAN

On the switch, we have a single default route pointing to the production firewall. What is the easiest way to route traffic from a single IP to the test firewall for Internet access?

Georg Pauwen · ‎10-27-2022

Hello,

on the switch, you could configure PBR to redirect traffic from that specific IP source address towards the test firewall. The configuration would look something like this:

access-list 101 permit ip host 192.168.1.10 any
!
route-map PBR_TEST_FW permit 10
match ip address 101
set ip next-hop x.x.x.x (where x.x.x.x the test firewall
!
interface GigabitEthernet0/0
description LAN interface
ip policy route-map PBR_TEST_FW

View solution in original post

balaji.bandi · ‎10-27-2022

Thank for the clarification, not sure what switch model, some model and switch IOS version has Access list issue. so you need to test it.

Then @Georg Pauwen suggestion is good to go, instead of gi0/0 you apply in the VLAN SVI Layer3 interface.

even if anything goes wrong, only single IP gets affected. make sure PC/ device has static IP.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Georg Pauwen · ‎10-27-2022

Hello,

on the switch, you could configure PBR to redirect traffic from that specific IP source address towards the test firewall. The configuration would look something like this:

access-list 101 permit ip host 192.168.1.10 any
!
route-map PBR_TEST_FW permit 10
match ip address 101
set ip next-hop x.x.x.x (where x.x.x.x the test firewall
!
interface GigabitEthernet0/0
description LAN interface
ip policy route-map PBR_TEST_FW

pformanko · ‎10-27-2022

Hi,

Thanks. That is the approach I was taking, but wasn't sure where to apply the route-map.

I am not able to apply it to the interface as it an access interface. I was thinking about applying it to the interface VLAN the PC is part of, but as that is a production VLAN, I wasn't sure how that would affect the other traffic on that VLAN.

Is it safe to apply the route-map to the VLAN without some unintended issues?

balaji.bandi · ‎10-27-2022

some of the information not clear here?

if the switch acts Later 2 only ? (since you mentioned default routing ?)

what is the other device acting now as fw or routing in the network to the internet?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

pformanko · ‎10-27-2022

Hi,

It is a layer 3 switch. By default route, I meant gateway of last resort.

S* 0.0.0.0/0 [1/0] via 10.x.x.x

This is the inside interface of the production firewall. I would like to sent traffic from a single PC/IP to a different inside interface of a different firewall.